Social Engineering & Cybercrime Remain Top Cyber Insurance Concerns

Ransomware garnered many of the cybercrime headlines in 2021 and 2022. Insurance carriers homed in on its devastating impacts, inspiring many insureds to put proper controls in place to help fend off such attacks. Research indicates that ransomware attacks have declined significantly over the past 12 months compared to 2021, and fewer companies are now paying ransoms. A 2022 survey of 300 U.S.-based information technology (IT) decision-makers regarding the impact of ransomware attacks on their organizations found that 25% of companies were victims of ransomware attacks over the past 12 months, a 61% decline from the previous 12-month period.[3]


CYBERCRIME CLAIM TRENDS

Filling the void left by fewer ransomware attacks are funds transfer fraud (FTF) and social engineering attacks, which, even if not the most severe, remain the most frequent types of cyber claims for almost all carriers. While the cyber market has certainly grown in recent years, it hasn’t significantly expanded coverage for cybercrime, which typically remains sublimited to $100K - $250K. Cybercrime shares in the policy limit for first-party losses and pulls from the cyber policy’s aggregate limits, making it vital that policyholders do all they can to mitigate claim risk.

From 2020 to 2021, funds transfer fraud (FTF) losses rose 69% overall, and enterprises with less than $25M in revenue saw a frequency increase of 21%.[1]

Social engineering serves as the gateway for the vast majority of cybercrime, including FTF. During a given year, most organizations face more than 700 social engineering attacks. With around 260 work days annually, that means employees are facing off against roughly 2.7 per day. Successful social engineering attacks depend on tricking people by masquerading as a trusted contact. Malicious actors attempt to manipulate employees into clicking a malicious link or email attachment that allows the criminal to capture login credentials or similar information and gain entry to company systems. Once trust is established, other attacks can occur, such as identity theft or the distribution of malware. Social engineering attacks are expensive, even if broader data breaches don’t follow. On average, companies lose $130,000 through money theft or destroyed data. In cases where additional attacks are deployed, the totals can reach hundreds of thousands, if not millions, of dollars.[4] When it comes to social engineering and its fallout, insureds usually think of monetary theft, but attacks also often result in the fraudulent misappropriation of other assets, such as cargo, property, goods or services.

Typically initiated through social engineering tactics like phishing and business email compromise, FTF is one of the easier ways to monetize a cyberattack. Once a cybercriminal gains access to a business email account, they have the power to edit contracts or modify payment instructions, at times without ever triggering a security alert. Cybercriminals are also known to send payment instructions that appear to come from customers or vendors, either through spoofed accounts made to look legitimate or by compromising the third party’s email system.[2] Initial losses from FTF among small businesses jumped 102% to more than $309,000 in the second half of 2021.[1]

Smaller organizations are especially vulnerable to FTF attacks because they typically have a smaller digital footprint, leaving cybercriminals with less infrastructure and data to hold hostage in a ransomware attack and making a fraudulent transfer the more attractive payoff.[1]

KEY CYBERCRIME COVERAGES

Cybercrime coverage is available to help protect policyholders against a variety of cyberattacks and potential claim scenarios, including:

Funds Transfer Fraud (FTF)
  Definition: Theft of money or securities from an insured’s transfer accounts at a financial institution occurring through fraudulent transfer instructions.
  General Claim Scenario: A construction subcontractor’s email is hacked without their knowledge. A cybercriminal then emails a long-time client advising that the subcontractor has switched banks and needs to update account numbers. The client changes the account number, and the hacker creates a false invoice of $100K for work recently performed. The invoice appears legitimate and the client pays. The fraud doesn’t become apparent until the subcontractor contacts the client regarding payment for services.

Social Engineering
  Definition: The psychological manipulation of individuals into making security mistakes or divulging confidential information through human interactions.
  General Claim Scenario: An accounting department employee receives a blank email with a subject line about a “price change.” The email includes an attachment that appears to be an Excel spreadsheet. However, the “spreadsheet” is actually a disguised .html file that, when opened, directs the employee to a website containing malicious code. The site triggers a notification advising the user they’ve been logged out of Microsoft 365 and asks them to re-enter their login credentials. The fraudulent web form sends the user’s credentials to the cybercriminals, allowing access to confidential system and network information.

Invoice Manipulation
  Definition: The distribution of a fraudulent invoice or payment instructions to a third party due to a security or data breach.
  General Claim Scenario: A bad actor uses an employee’s legitimate credentials, stolen through social engineering, to send a fraudulent invoice or payment instruction via the business’s authentic email.

Computer Fraud
  Definition: The use of a computer to help execute a scheme or illegal activity, such as stealing information or services.
  General Claim Scenario: A hacker illegally accesses a computer to alter information, such as work reports or student grades, or sends computer viruses or worms with the intention of destroying another’s computer.
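The FTF and Social Engineering scenarios above both hinge on something a defender can check mechanically before money moves or a file is opened: does the payment instruction match what is already on file, and does the attachment actually contain what its name claims? The script below is an added example written for this page, not code from CRC Group or any of the cited sources. The vendor master record, the invoice email and the attachment bytes are constructed for illustration; the function names, the regular expressions and the "call-back required" reasons are assumptions about how an accounts-payable or mail-gateway check might be structured.

```python
"""Two lightweight defender-side checks matching the FTF and Social Engineering
claim scenarios. Constructed example; all vendor data and messages are made up."""

import re
from dataclasses import dataclass

# --- Check 1: payment-instruction review (FTF scenario) ------------------------

# Hypothetical vendor master file: the bank details the business already holds.
VENDOR_MASTER = {
    "acme-subcontracting.example": {"name": "Acme Subcontracting", "account": "123456789"},
}

@dataclass
class InvoiceEmail:
    sender_address: str
    body: str
    reply_to: str = ""          # empty means "same as sender"

ACCOUNT_RE = re.compile(r"account (?:number|no\.?)[:\s]+(\d{6,17})", re.IGNORECASE)
BANK_CHANGE_RE = re.compile(r"\b(switched|changed|new)\s+bank", re.IGNORECASE)

def review_payment_instruction(msg: InvoiceEmail) -> list[str]:
    """Return the reasons this instruction needs out-of-band (call-back)
    verification before funds are sent. An empty list means nothing unusual
    was found; it is not proof the instruction is genuine."""
    reasons = []
    sender_domain = msg.sender_address.rsplit("@", 1)[-1].lower()
    reply_domain = (msg.reply_to or msg.sender_address).rsplit("@", 1)[-1].lower()
    vendor = VENDOR_MASTER.get(sender_domain)

    if vendor is None:
        reasons.append(f"sender domain {sender_domain} is not a vendor on file")
    if reply_domain != sender_domain:
        reasons.append(f"Reply-To domain {reply_domain} differs from sender domain")
    match = ACCOUNT_RE.search(msg.body)
    if match and vendor and match.group(1) != vendor["account"]:
        reasons.append("bank account in message differs from account on file")
    if BANK_CHANGE_RE.search(msg.body):
        reasons.append("message announces a bank change")
    return reasons

# --- Check 2: attachment content versus claimed type (Social Engineering scenario) --

# Leading bytes ("magic numbers") of the spreadsheet formats the scenario involves.
MAGIC = {
    ".xlsx": (b"PK\x03\x04",),        # OOXML spreadsheets are ZIP containers
    ".xls": (b"\xd0\xcf\x11\xe0",),   # legacy OLE2 compound document
}
HTML_MARKERS = (b"<!doctype html", b"<html", b"<script")

def classify_attachment(filename: str, data: bytes) -> str:
    """Classify an attachment by comparing its bytes with its file extension.
    Returns 'ok', 'html-disguised' (HTML behind a spreadsheet name),
    'type-mismatch', 'html' or 'unknown-type'."""
    name = filename.lower()
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    # Double extensions such as "price_change.xlsx.html" still claim a spreadsheet.
    claims_spreadsheet = ext in MAGIC or any(f"{e}." in name for e in MAGIC)
    head = data[:512].lstrip().lower()

    if any(marker in head for marker in HTML_MARKERS):
        return "html-disguised" if claims_spreadsheet else "html"
    if ext in MAGIC:
        return "ok" if any(data.startswith(m) for m in MAGIC[ext]) else "type-mismatch"
    return "unknown-type"

if __name__ == "__main__":
    # Constructed message mirroring the FTF scenario: the real vendor mailbox is
    # used, so sender and Reply-To look legitimate; only the account differs.
    suspicious = InvoiceEmail(
        sender_address="billing@acme-subcontracting.example",
        body="We have switched banks. Please update our account number: 987654321 "
             "before paying invoice 1042 for $100,000.",
    )
    print(review_payment_instruction(suspicious))
    print(classify_attachment("price_change.xlsx", b"<!DOCTYPE html><html><script>"))
```

The point of the first check is that it still fires in the scenario where the subcontractor's genuine mailbox has been taken over: sender and Reply-To look right, but the account number does not match the master record and the message announces a bank change, so the payment is routed to a call-back at a previously known phone number rather than being paid on the strength of the email. The second check refuses to trust the file name; an "Excel" attachment whose first bytes are HTML is flagged before the user opens it.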

IMPORTANT COVERAGE CONSIDERATIONS

When buying cyber insurance, it is vital that insureds and agents understand the nature and extent of the risks facing the client. For some companies, like retail stores or banks, the primary concern is likely the theft of personal financial information. On the other hand, the primary risk to a utility or energy company is the disruption of critical business or physical operations through network attacks. Agents and insureds should collaborate with a knowledgeable wholesale broker to tailor their cyber coverage to the specific risks they face, keeping the following in mind:

Call-back Requirements. These requirements, under which the insured must verify new or changed payment instructions by phone at a previously known number before sending funds, are starting to creep back into policies around FTF and can be easy to overlook. Failing to comply can negate coverage in the event that an FTF claim is filed.

Other Property Coverage. Depending on the nature of the insured’s business, it can be vital to ensure coverage is extended to Other Property, not just money/securities. For example, a distribution business may be vulnerable to losing goods, physical supplies, or cargo.

Policy Overlap. Remember that a cyber policy and a crime policy can overlap, requiring brokers to work with carriers to determine which acts as primary and which acts as excess in a specific claim scenario.

98% of all cyberattacks involve some form of social engineering.[4]

CLAIM PREVENTION TECHNIQUES & BEST PRACTICES

Underwriters now often require the completion of specific questionnaires or applications to obtain cybercrime coverage or to grow the coverage beyond standard sublimits. As a general rule, underwriters want to see regular employee training around phishing and confirmation that insureds have vendor controls in place to verify receipts and electronic funds transfers (EFTs) over a set amount. Knowing how to spot the signs of social engineering can make a difference, decreasing the likelihood that employees will engage with attackers or provide them sensitive data. However, research shows that only 27% of companies provide employees with social engineering awareness training, leaving many organizations more vulnerable than they need to be.[4] Additional cybersecurity best practices include:

  • Utilizing Multi-Factor Authentication (MFA) for remote network/email and administrative access
  • Employing Endpoint Detection and Response (EDR) to monitor all endpoints
  • Using segregated/air-gapped backups
  • Testing off-site or cloud backups routinely

BOTTOM LINE

In today’s interconnected, digital economy no business is immune from the threat of cybercrime. Having the right insurance coverage in place can make all the difference in a company’s ability to respond to and recover from a cyber event.[1] Agents and insureds would be wise to take a proactive stance toward obtaining cybercrime insurance, keeping in mind that there are many products available and multiple ways to purchase coverage. Leaning on the deep expertise of CRC’s brokers throughout the quoting and buying process can ensure that your clients receive the most appropriate coverage for the best possible price. Contact your local CRC Group producer today to discover how we can help protect your clients in today’s digital environment.

CONTRIBUTORS

  • Paul Burge is a Broker with CRC Group’s Birmingham, AL office and a member of the ExecPro Practice Group.
  • Tyler O’Connor is a Broker with CRC Group’s Birmingham, AL office and a member of the ExecPro Practice Group.
  • Ross Robertson is a Broker with CRC Group’s Birmingham, AL office and a member of the ExecPro Practice Group.

END NOTES

  1. Funds Transfer Fraud Skyrockets in 2021; Small Businesses Hit Hard, Insurance Journal, March 21, 2022. https://www.insurancejournal.com/magazines/mag-features/2022/03/21/658766.htm
  2. Small Businesses are Big Targets for Fund Transfer Fraud, PropertyCasualty360, March 1, 2022. https://www.propertycasualty360.com/2022/03/01/small-businesses-are-big-targets-for-fund-transfer-fraud/
  3. Ransomware Attacks Decreased 61% in 2022, Security Magazine, January 11, 2023. https://www.securitymagazine.com/articles/98772-ransomware-attacks-decreased-61-in-2022
  4. 21 Social Engineering Statistics – 2022, Firewall Times, May 16, 2022. https://firewalltimes.com/social-engineering-statistics/